It does occasionally strip virus attachments from the email; I have yet to get a qualified 'virus found' email.

but then you say:

I only seem to get 0 (zero) back as a result

If you are occasionally getting attachment 'viruses' stripped, then it is working as it is intended to. Whether it's working EFFECTIVELY depends on whether you are using ONLY ClamAV definitions or whether you have followed my recommendations at the foot of my installation post (see the link) and supplemented them (with Sane definitions). If you don't supplement it, then your results do not surprise me.

Yes, Clamwin is still on 0.98.7, so you are advised to stay on that until they move Clamd to 0.99 to match. (There's not that much difference apart from the ability to run YARA rules, but without 3rd party definitions Clam defs are pretty useless anyway, and 0.98.7 is very sufficient for realtime mail scanning threats (with Sanesecurity definitions).)

I have recently asked 'sherpya' (the provider of oss.netfarm) about the port up but so far there is no movement. The irony is that he is the same man that does the port of Clamav to Clamwin. :/ (See this post and the next 5 or 6 to see discussions on this, the inclusion of Clamd as I have posted here, and his involvement: http://forums.clamwin.com/viewtopic.php?p=18858#18858).

I will check out your warning about using the %programfile 86% variable, thanks. If I see it causes problems then I will amend the writeup to use actual pathnames rather than the variable.

Out of interest, have you supplemented the definitions with Sanesecurity (as I recommended)? And did you see the instruction about limiting the maximum size? (see point (8) in the instructions - I recently added that and not sure if it would have been there after your implementation)?

jimimaseye wrote:
Out of interest, have you supplemented the definitions with Sanesecurity (as I recommended)? And did you see the instruction about limiting the maximum size? (See point (8) in the instructions; I recently added that and am not sure if it would have been there after your implementation.)

Yes I did. I made sure everything else was working first, then added the Sanesecurity bits and changed the max file size.

The instructions to get the Sanesecurity bit installed were somewhat lacking in clarity, but I got there in the end. The batch file and automating those was very easy (the same as I use for my MySQL backup scripts), once I'd added their locations to my PATH file. Rsync was the biggest pain; it looks to me like the instructions are much more of a Linux setup, but I did get there.

I did have to:

uncomment this section:

rem set db=C:\ProgramData\.clamwin\db\

As it didn't find my Clamwin setup (it's all in the default locations)

But once I got that done, it was up and running smoothly

Tip for those using Windows Task Scheduler to set up the Sanesecurity update: don't try to schedule a task every hour, it won't give you that option in Task Scheduler. Instead set a "One Time Task" - "Repeat Task every 1 hour" - for a duration of "Indefinitely". Basic, I know, but operator ignorance on my part meant I spent half an hour working this one out! I think I should have had more coffee that morning.

- A DMARC record. But my hosted VPS provider (1and1) won't allow a text record to be created with a _dmarc prefix. I can't think of any way round this (I can't create a sub-domain beginning with _ either) and it is a limit of 1and1 not HMS in any way
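The Task Scheduler tip above ("One Time Task", repeat every 1 hour, duration "Indefinitely") can be expressed in PowerShell. The following is an added example, not part of the original post; the task name, the path to the update batch file and the SYSTEM account are assumptions to adjust for your own setup, and it must be run from an elevated prompt:

```powershell
# Added example, not from the original post: create the hourly Sanesecurity
# update task from an elevated PowerShell prompt instead of clicking through
# Task Scheduler. $scriptPath and $taskName are assumptions; point $scriptPath
# at the batch file you already use for the signature update.
$scriptPath = 'C:\ClamAV\sanesecurity\update.bat'   # assumption: your own batch file
$taskName   = 'Sanesecurity signature update'

# The GUI's "One time" trigger with "Repeat task every 1 hour" for a duration of
# "Indefinitely" is a -Once trigger with a -RepetitionInterval and no duration.
# (On Windows 8 / Server 2012 era PowerShell, add
#  -RepetitionDuration ([TimeSpan]::MaxValue) to get the same indefinite repeat.)
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(2) `
    -RepetitionInterval (New-TimeSpan -Hours 1)

# Run the batch file through cmd.exe so its rem/set lines are interpreted normally.
$action = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$scriptPath`""

# Run as SYSTEM so the task does not depend on a user being logged on, and cap
# the run time so a hung rsync does not block every later hourly run.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Check: Interval should read PT1H (one hour) and Duration should be empty (indefinite).
$task = Get-ScheduledTask -TaskName $taskName
$task.Triggers[0].Repetition | Select-Object Interval, Duration
# LastTaskResult 0 after the first run means the batch file exited cleanly.
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult, NextRunTime
```

The execution time limit and `IgnoreNew` are there so that a stalled rsync download cannot pile up overlapping update runs, which is the usual reason an "every hour" definition job silently stops updating.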

jimimaseye wrote: And did you see the instruction about limiting the maximum size? (See point (8) in the instructions; I recently added that and am not sure if it would have been there after your implementation.)

Yep, it wasn't there when I started, but I had seen it later when I was checking, point by point, that I had followed the instructions correctly.

oss.netfarm.it/clamav/ has today just updated the CLAMD.exe file to version 0.99. It is now compatible with the current download version of Clamwin, which is also 0.99. I've just upgraded both and all is working fine. Benefits of 0.99? Erm..... the main thing is that it can now do rule definitions called "Yara"... (whatever that is. https://www.google.co.uk/search?q=yara+rules)

Initially there is a benefit in using Clamwin (over ClamAV for Windows) due to it having the 'all in one' install and the GUI (with Windows integration, scheduling etc). ClamAV for Windows does have this (and the Immunet version is not a free version and uses its own definitions). This is what makes it an attractive proposition. However, as you know, it's not a threaded application (yet!) and is resource hungry on scanning. The initial procedure here was the way to get the benefit of Clamwin WITH the benefit of Clamd.

Admittedly, I hadn't even thought about whether the compiled 'ready to go' version of Clamd was available from ClamAV itself and yes, in fact, a quick check (in the link you provide) shows a Clamd.exe bundled. My procedure of using Clamwin + clamd doesn't need full installs of both pieces of software and only needs the Clamd component to complement Clamwin. This finding of clamd (from your link) gives us an alternative way to obtain clamd instead of me waiting on Sherpya to update his oss.netfarm.it repository....... ASSUMING that that version of Clamd.exe is compiled and compatible with the Clamwin installed libraries in the same way.

I will attempt a test 'later' to see if this is the case and if so I will update my initial write-up about where to obtain it.

EDIT:

It seems the Clamd.exe versions are different despite both being created for the same versions of ClamAV and for Win32. Size is different (and naturally, also the icon of the executable).

(On the left is the Clamd from ClamAV, on the right is Clamd from Sherpya (oss.netfarm). Note his version says specifically for "Clamwin" and also 'Sherpya' is the man responsible for porting Clamd to Windows and to Clamwin.)

Ah... There is no "--install" in the original as it is a port from Linux - and Linux don't work that way

That's the beauty of using my Clamwin port: the Clamd version does include the simple 'install' process without the need to mess with service wrappers. That said, the other version (in Clam win32) is a Windows port and I don't see any instructions saying that you have to mess with service wrappers for that, so how do you actually run it?

Mind you, does that message ("The ordinal 44315 could not be located....") REALLY mean "'install' option not found"? It looks more like an incompatibility of some sort with the libraries in use to me.

Anyway, I will do another test (just curiosity) on my laptop using Clamwin and that Clamd version with a wrapper and I will report back. (I'm not hopeful.)

I would not call the ClamD code from the ClamWin project a "port" as it has clearly been altered to allow the code to run as a service... It's been "Fork'ed" and therefore should use a different name. Versions are NOT 100% code compatible.

"I wonder what other changes have been made to the code" I phrase while wearing my tinfoil hat...

SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

At a MS-DOS command prompt(running CMD.EXE), type the following command:

path\INSTSRV.EXE My Service path\SRVANY.EXE

where path is the drive and directory of the Windows NT Resource Kit (i.e., C:\RESKIT) and My Service is the name of the service you are creating.

Example:
C:\Program Files\Resource Kit\Instsrv.exe Notepad C:\Program Files\Resource Kit\Srvany.exe
NOTE: To verify that the service was created correctly, check the registry to verify that the ImagePath value under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\service name
is set to point to SRVANY.EXE. If this is not set correctly, the service will stop shortly after it starts and return an Event ID 7000 "The service name failed to start."

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" online Help topic or the "Add and Delete Information in the Registry" and "Edit Registry Data" online Help topics in Registry Editor.

NOTE: You should back up the registry before you edit it.
Run Registry Editor (Regedt32.exe)and locate the following subkey:
.
.YOU STILL READING?.........
.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<My Service>
From the Edit menu, click Add Key. Type the following and click OK:

where <path>\<application.ext> is the drive and full path to the application executable including the extension (i.e., C:\WinNT\Notepad.exe)
Close Registry Editor.

By default, a newly created service is configured to run Automatically when the system is restarted. To change this setting to Manual, run the Services applet from Control Panel and change the Startup value to Manual. A service set to Manual can be started in one of several ways:
- From the Services applet in Control Panel

- From a MS-DOS command prompt, type the following:
.
.

KEEP GOING.........
NET START <My Service>

- Use the Sc.exe utility from the Resource Kit. Type the following from a MS-DOS command prompt:

<path>\Sc.exe start <My Service>

where <path> is the drive and directory of the Windows NT Resource Kit (i.e., C:\Reskit).

(Phew! And that's once you've managed to find and download the 'Resource Kit' just to get the INSTSRV program in the first place! Kind of sucks the will out of life.)
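The KB text quoted above ends with the advice to verify the ImagePath value in the registry, because a mis-wired SRVANY service dies shortly after start with Event ID 7000. The following is an added example, not part of the KB text or of the original post, that does those checks from PowerShell before the service is started; the service name 'Clamd' is an assumption (use whatever name you passed to INSTSRV), and the Parameters\Application value it reads is the value SRVANY itself launches, which the excerpt above elides:

```powershell
# Added example, not from the KB text quoted above: check that a service
# created with INSTSRV/SRVANY is wired up before starting it, rather than
# finding out from Event ID 7000 afterwards. The service name 'Clamd' is an
# assumption; use whatever name you gave INSTSRV.
function Test-SrvanyService {
    param([Parameter(Mandatory)][string]$ServiceName)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $result = [ordered]@{ Service = $ServiceName; ImagePath = $null; Application = $null; Problems = @() }

    if (-not (Test-Path $key)) {
        $result.Problems += "no registry key at $key (INSTSRV did not create the service)"
        return [pscustomobject]$result
    }

    # The KB says ImagePath must point at SRVANY.EXE or the service stops shortly after start.
    $result.ImagePath = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $result.ImagePath -or $result.ImagePath -notmatch '(?i)srvany\.exe') {
        $result.Problems += "ImagePath does not point at SRVANY.EXE: '$($result.ImagePath)'"
    }

    # SRVANY launches the program named in the Parameters\Application value (the
    # key/value the KB's "Add Key" step creates; the excerpt above leaves the names out).
    # Check it exists and points at a real executable.
    $app = (Get-ItemProperty -Path "$key\Parameters" -Name Application -ErrorAction SilentlyContinue).Application
    $result.Application = $app
    if (-not $app) {
        $result.Problems += 'Parameters\Application value is missing'
    } elseif (-not (Test-Path ($app.Trim('"')))) {
        $result.Problems += "Parameters\Application points at a file that does not exist: $app"
    }

    # Startup type and current state as the Service Control Manager sees them.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $result['StartType'] = if ($svc) { $svc.StartType } else { 'not registered with SCM' }
    $result['Status']    = if ($svc) { $svc.Status }    else { 'n/a' }

    return [pscustomobject]$result
}

# Recent "service failed to start" events (Event ID 7000) that mention this service.
function Get-ServiceStartFailures {
    param([Parameter(Mandatory)][string]$ServiceName, [int]$MaxEvents = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ServiceName) } |
        Select-Object -First $MaxEvents TimeCreated, Message
}

Test-SrvanyService -ServiceName 'Clamd' | Format-List
Get-ServiceStartFailures -ServiceName 'Clamd'
```

An empty Problems list means the registry matches what SRVANY expects; if the service still stops, the 7000 events show whether the SCM rejected the wrapper itself or the wrapped program exited on its own.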

Hmmmm. (There is a reason why NSSM is called "the Non-Sucking Service Manager")

Sitting here by the computer, looking out the window... We have had a bit of snow last night... Birds are picking in the snow - I really should go out and fill up the birdseed dispenser... la la la la la...

SørenR.

I want to update my installation too (running 0.99 with 0.98 as Service).

Do you replace only the clam.exe (single file) (downloaded from here http://oss.netfarm.it/clamav/) with the existing one in the clamwin directory?
Or do you replace the other files in the directory too?

2, net stop CLAMD (this stops Clamd)
3, sc delete clamd (this deletes the existing clamd service)
4, run the install of Clamwin latest over the top of current installation and REBOOT when prompted.
5, Copy over the new Clamd.exe (only) from Oss site (as per instructions)
6, Run the "Clamd --install" command (as per instructions)
7, recheck and restart the services and enable Antivirus (as per instructions)
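The upgrade steps above, as an added example that is not jimimaseye's own script: two functions with checks, one for steps 2 and 3 (run before the ClamWin installer) and one for steps 5 to 7 (run after the reboot). Step 4, the installer itself, stays interactive. The ClamWin bin folder, the download location of the new clamd.exe, the presence of clamscan.exe in the bin folder and the `--version` output format are assumptions to adjust for your install; only the service name and the `clamd --install` switch come from the instructions:

```powershell
# Added example, not jimimaseye's own script: the upgrade steps above as two
# functions with checks. Remove-OldClamd covers steps 2 and 3 and is run before
# the ClamWin installer; Install-NewClamd covers steps 5 to 7 and is run after
# the reboot. All paths are assumptions for a default ClamWin install.
$ClamWinBin = "${env:ProgramFiles(x86)}\ClamWin\bin"   # assumption
$NewClamd   = "$env:USERPROFILE\Downloads\clamd.exe"   # assumption: clamd.exe fetched from oss.netfarm.it
$Service    = 'clamd'

function Remove-OldClamd {
    # Step 2: net stop clamd; step 3: sc delete clamd.
    $svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "service '$Service' not present, nothing to remove"; return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Service -Force }
    & sc.exe delete $Service | Out-Null
    # sc delete only marks the service for deletion; confirm the SCM has dropped it.
    Start-Sleep -Seconds 2
    if (Get-Service -Name $Service -ErrorAction SilentlyContinue) {
        throw "service '$Service' still registered (is a services.msc window holding it open?)"
    }
    Write-Host "old '$Service' service removed; now run the ClamWin installer and reboot"
}

function Get-ClamVersion([string]$Exe) {
    # Assumption: both clamscan.exe and the clamd.exe build print a 'ClamAV x.y.z'
    # line for --version; adjust the regex if Sherpya's build prints differently.
    $out = & $Exe --version 2>&1 | Out-String
    if ($out -match 'ClamAV (\d+\.\d+(?:\.\d+)?)') { return $Matches[1] }
    return $null
}

function Install-NewClamd {
    # Step 5: copy the new clamd.exe (only) over the one in the ClamWin bin folder,
    # keeping a backup so the previous build can be put back.
    $target = Join-Path $ClamWinBin 'clamd.exe'
    if (Test-Path $target) { Copy-Item $target "$target.bak" -Force }
    Copy-Item $NewClamd $target -Force

    # Check: clamd must match the ClamWin version (here read from clamscan.exe) it is paired with.
    $clamd   = Get-ClamVersion $target
    $clamwin = Get-ClamVersion (Join-Path $ClamWinBin 'clamscan.exe')
    if ($clamd -ne $clamwin) { throw "version mismatch: clamd $clamd vs ClamWin $clamwin" }

    # Step 6: clamd --install registers the service (the switch this Clamwin build provides).
    & $target --install

    # Step 7: start it and confirm it stays up for a few seconds.
    Start-Service -Name $Service
    Start-Sleep -Seconds 5
    $svc = Get-Service -Name $Service
    if ($svc.Status -ne 'Running') { throw "clamd did not stay running (status: $($svc.Status))" }
    Write-Host "clamd $clamd running; now re-enable Antivirus in hMailServer as per the instructions"
}
```

Run `Remove-OldClamd` first, then the installer and reboot, then `Install-NewClamd`; the version comparison is the check that catches the 0.98/0.99 mismatch the thread has been discussing before the mismatched clamd is registered as a service.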

jimimaseye wrote: Is surgery the only option to repair/heal? Won't it recover itself? (The caputum tendonsnappen, I mean, not the haemophilia.)

Like a rubber band, tendons are under tension as they connect the muscle to the bone. If a tendon is torn or cut, the ends of the tendon will pull far apart, making it impossible for the tendon to heal on its own.

SørenR.

Seems though that it doesn't scan certain files such as compressed files, e.g. .zip. Did a test via http://www.emailsecuritycheck.net/ and 6/7 got through. Do my results reflect other users? I have set ScanArchive yes in clamd.conf.

sew wrote: Seems though that it doesn't scan certain files such as compressed files, e.g. .zip. Did a test via http://www.emailsecuritycheck.net/ and 6/7 got through. Do my results reflect other users? I have set ScanArchive yes in clamd.conf.

I'm not sure what you are expecting to see.

GTUBE test: was identified correctly by Spamassassin (email 3) - has nothing to do with Antivirus.

ZIP file with eicar inside: was identified correctly (email 2)

(Only 1 Zip file is sent.)

There is only the one that is the responsibility of Antivirus (Clam) and it has performed correctly.

The rest is about the ability of Hmailserver ATTACHMENT BLOCKER (which we know has some flaws):

A few days ago I added foxhole signatures; they worked at first, then cryptolocker class viruses appeared again.
Training Spamassassin was useless as well; the score of the infected message file was 0.8 *damn*

I set scheduled updates hourly. However, the official sigupdate.bat couldn't help. I googled for the latest signatures and found one site where the signatures are publicly hosted, tons of signatures: http://ftp.swin.edu.au/sanesecurity/

I think it's very strange that the latest signatures didn't pick up what you expected yet an older 'mirror' did. Are we sure the configuration for the default databases is correct and the rsync has performed correctly?